Google, Innovation & Trust

Today a piece I wrote for Harvard Business Review hits the “virtual” stands.  There are times when researching a hot topic is a curse (Mr. Snowden made privacy and surveillance touchy) but there are other times when it is a blessing.  The Google European Court of Justice’s (ECJ) decision  or “Right to be Forgotten” case has given me a chance to showcase the importance of privacy and data protection in the business world.

I have written a few pieces about data as it pertains to the financial services (here and here), and on the clash of US and EU privacy cultures and its impact on transatlantic counter-terrorism cooperation. The HBR piece focuses on how privacy can lead to profit and it draws heavily upon my interviews with the IT and corporate communities while I was in Europe.

In the popular imagination, the internet exists as a borderless world. In reality, there are many internets, and the rules that govern each of them reflect local beliefs about the role and responsibility of technology within society. The ECJ ruling classified Google as a data controller, and therefore under obligation to remove certain links to personal data upon an individual’s request, and it is a prime example of how localized privacy cultures and laws can assert themselves beyond their sovereign borders.  Although it specifically mentions search engines, it has implications for multinationals as well.

I think that the IT world was shocked by the ECJ decision because it holds the borderless internet view, it sees any curb on the free flow of information as censorship and a threat to its business model, and it is accustomed to the US-based view of data as property where corporations self-regulate data collection and usage.  Also, the Judge Advocate’s opinion, which concluded Google was not a data controller, set expectations for the final outcome of the case.

As the EU itself has been trying to figure out the legalities of balancing human rights with good commerce, the legislative ambiguities of the EU Data Protection Directive have in the past provided businesses, including European companies, with some wiggle room.  The ECJ verdict tightened the space to wiggle in some instances, but legal instruments are notoriously difficult to rely upon for definitions or guidelines for enforcement when applied in practice.

Problems of balance remain.  There is the balance of responsibilities between controllers and processors (are these distinctions even the way forward? One interviewee said we need to think of this in terms of accountability), the balance between human rights and national security, and human rights and the economy, the balance among differing views of privacy, and the realities that the physical structures in which the internet operates are transnational, which make it difficult to restrict the flow of data to certain transmission paths, let alone implement regional or national standards when doing so.  “You shouldn’t, and can’t, make Europe an island.”

No, the ECJ ruling does not mean you can be completely forgotten once you are on the global information superhighway, but it does mean that there are opportunities for government and business to innovate how data is managed, transferred, and used.  In short, legal instruments are not enough, the private sector needs to take privacy beyond compliance because its clients are demanding protections even when the law doesn’t require it.  In the HBR piece, I assert that this is part of a growing trend, spearheaded by consumers themselves (in the US, they talk about consumers, in the EU they speak of individuals) who believe that corporations feel entitled to use every bit of information they can find as part of a ‘big data’ marketing plan to endlessly feed algorithms for their own profit.  American IT firms did not help this image either.   EU legislators and privacy activists were not accustomed to the aggressive nature of US style K-Street lobbying in Brussels as IT firms campaigned against aspects of the new EU Data Protection Regulation.  The Snowden revelations only added fuel to their ire.  But this disgust has not been confined to the EU, Americans are increasingly suspicious of where their information flows end up too.

I have spoken about trust on this blog before regarding regulatory-corporate relations, but it applies here as well.  Corporations have to maintain the trust of their clients to keep them, whether they refer to them as individuals or consumers, and treat their data with respect. Individuals have a strong sense of ownership over their data because it reflects their personal choices, and while some consumers love the convenience that data analytics provides, some do not.  So I ask (somewhat rhetorically because I know there are some efforts, but will tackle them in later posts) businesses to consider services for those who want (and legally demand) more control over their data.

The HBR article touches upon some fundamental issues and I hope to follow up with another piece that connects data privacy to data security.  Unfortunately it is often treated as a separate issue, but privacy, security, and trust are endemic to any business relationship and when done right, they are, again, profitable.

The Problem of Trust

I’ve been examining the politics of money for over 10 years.  Most of those efforts have gone into understanding how executive-level politicians make decisions that affect the governance of the international monetary system.  In the past few years I’ve gotten more into the financial services side of things, which requires a different kind of thinking.

When you want to know how an industry ticks you have to interact with them.  I know that sounds like a no-brainer, but some academic research lacks that touch.  The only way to understand a group is to mingle, learn the jargon, ask a lot of questions, and play devil’s advocate, nicely.  You can’t do that with a survey and you certainly aren’t going to gain their trust to get them talking and eventually understand their perspectives without showing you are interested in establishing a professional relationship.  This is true when you do research with politicians or really anyone in a decision-making capacity.  You are asking them to describe the challenges they face and frustrations and they have to know that you do not have an agenda – you want to ‘get it right.’

So as building trust underlies the research process, the same principles apply to the business of finance.  Bankers make money for their clients so it is profit driven, and by default this means it is also relationship driven.  The trust between client and financial representative is at the heart of the industry wealth and money is personal.  And, the lack of trust among finance and regulators is, in my mind, problematically related.

Last week I went to London to attend the Future of Financial Standards conference sponsored by the SWIFT Institute and the LSE Standards Forum Team.   It brought together most of the major players, former regulators (a current regulator in the form of the keynote speaker Commissioner O’Malia of the Commodity Futures Trading Commission (CFTC)), bankers, statisticians, academics and a few technology experts (coding, database operations and design).  The mind mapping boards below illustrate an outline of discussions.

To summarize: Regulations are often written by politicians and lawyers who do not have a working understanding of how financial markets operate or how their databases are structured.  Each national regulator wants different types of information, which pose problems for financial institutions that operate in many states.  Standards in financial language are notoriously difficult to establish because products are classified in different ways across firms, markets, and within regulations.  This makes it very difficult to collect and report accurate data and comply with these regulations.  Data taken from one type of database cannot easily be transferred to another database (it might show errors in one and not another) because of coding issues, so there’s an inconsistency in the IT as well.

The general consensus was that regulators, bankers, and tech people all see the problem from different angles; they blame each other for reporting shortcomings, but they agree they should talk more to each other too.

And yet, most participants saw a solution that involved the industry setting the standard on its own and then presenting it to regulators.  You can see the disconnect from the process and the solution, right?  They are all mutually dependent, yet still thinking sectorally.  Unfortunately, this attitude also pervades regulatory and legal thinking.

One panelist hit the nail on the head though – trust.  Regulators aren’t going to listen to the industry because they do not trust it.

Does the industry know its business better than regulators? Yes.  Does it have more resources? Yes. Do regulators and banks have different objectives? Not really, no.  (They both like stability and manageable risk, but yes they do have different roles in promoting these aims.) Do they have different opinions about what this is and how to do this? Yes.

As one participant told me, “Every suggestion is not an attempt to hijack the process and assert corporate interests.  There are international standards that have been in place for a while now, like the ISO, which are a good starting point.”

The (not new) lesson here is that the financial services has a reputation problem with officials (and some of their clients) that requires a change in its culture.  Building trust with regulators means that a relationship must be cultivated, just like they do with their clients.  But, have we come too far off the track to mend it?  I don’t think so.

Data is the foundation for the financial services industry.  I argue that record keeping and reporting is good for business because it helps banks take stock of what they have, what their employees are doing, and highlights areas where they can offer their clients better services. Accurate record keeping costs less in the long run and means that officials are less apt to come knocking on their doors for miss-behaviors.  The more that the industry does on its own the more that they will make money and by default improve that regulatory relationship.

Similarly, regulatory officials might get more bees to the honey if they understood how financial  IT networks worked, how these companies recorded their data (or not) and began to talk a little in terms of profits.  Governments have to learn to speak in terms that finance understands rather than dictate terms or make threats.  This tactic does not mean that regulators will get what they want – it just causes confusion and produces complaints about costs.  The data they end up getting is not the quality they expect either.

The forum did an excellent job of presenting the problem of banks faced complying with regulation – it is a technical problem; a language problem; a communication problem; and ultimately a cultural problem.  The culture problem, which exists on both sides of the coin (If we add the technologists then we need a 3 sided die) is more difficult.

There are some trying to bridge the divide and emphasize Corporate Responsibility, or Corporate Social Responsibility. (i.e. Ruggie, and Abbott and Snidal)., but I think we need to examine the regulatory mindset too.  It starts with the realization that the effort is worthwhile both for profit and for the whole of society, and that the time invested to build that trust produces a system in which we all can live and prosper.